curl-library
[PATCH] axtls.c: honoring VERIFYHOST option
From: Aleksey Tulinov <aleksey.tulinov_at_gmail.com>
Date: Fri, 7 Jun 2013 16:54:26 +0300
---
 lib/axtls.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/lib/axtls.c b/lib/axtls.c
index 59c8a83..9e2f3cd 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -342,21 +342,29 @@ Curl_axtls_connect(struct connectdata *conn,
 /* RFC2818 checks */
 if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
 /* Break connection ! */
- Curl_axtls_close(conn, sockindex);
- free_ssl_structs(ssl_ctx, ssl);
- failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
- return CURLE_PEER_FAILED_VERIFICATION;
+ if(data->set.ssl.verifyhost) {
+ Curl_axtls_close(conn, sockindex);
+ free_ssl_structs(ssl_ctx, ssl);
+ failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+ infof(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
 }
 else if(found_subject_alt_names == 0) {
 /* Per RFC2818, when no Subject Alt Names were available, examine the peer CN as a legacy fallback */
 peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
 if(peer_CN == NULL) {
- /* Similar behaviour to the OpenSSL interface */
- Curl_axtls_close(conn, sockindex);
- free_ssl_structs(ssl_ctx, ssl);
- failf(data, "unable to obtain common name from peer certificate");
- return CURLE_PEER_FAILED_VERIFICATION;
+ if(data->set.ssl.verifyhost) {
+ /* Similar behaviour to the OpenSSL interface */
+ Curl_axtls_close(conn, sockindex);
+ free_ssl_structs(ssl_ctx, ssl);
+ failf(data, "unable to obtain common name from peer certificate");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+ infof(data, "unable to obtain common name from peer certificate");
 }
 else {
 if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
--
1.7.9.5
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2001-09-17
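Review bot: The `data->set.ssl.verifyhost` guard is applied to the subjectAltName-mismatch and missing-CN branches, but the hunk stops at `if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {` and the diffstat (17 insertions, 9 deletions) is used up by the two branches above, so the CN-mismatch branch looks untouched. Its body is outside the hunk; if it still closes the connection unconditionally, a CN mismatch fails even with host verification switched off while the other two outcomes are tolerated, and it needs the same `if(data->set.ssl.verifyhost) { ... } else infof(...)` shape. The two new `infof` calls also disagree on the trailing `\n` (the first message ends in it, the second does not), which is worth making consistent with the file's other `infof` calls. Since these `else` paths let a connection continue to a peer whose certificate does not name the host, a short comment such as `/* verifyhost disabled: log the mismatch, keep the connection */` above each `infof` would make that intent explicit.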